Comment by mcv
4 hours ago
Wero is basically an EU-wide version of the Dutch iDeal system, which in my opinion is the gold standard of how internet payment should work. I shouldn't have to fill in any card numbers on the site of the merchant (which is unsafe). Instead, the payment should redirect me to my bank, where I authorize the payment through my own bank's security system. I've always been annoyed by the need to type in sensitive card info on all sorts of merchant sites. I hope that with EU-wide use, Wero will receive much broader support now.
PIX from Brazil is even better, to be honest. But this is a big improvement over online CC payment.
I lived in the NL and Brazil, so I can compare the two, and while iDEAL is pretty good, PIX is easier to understand, explain, and deal with.
PIX has more variants, you can use it for recurrent payment, split payments, financing, cashout and almost all things a CC can do nowadays.
I would say Tikkie is almost as good and easy to use as PIX use-case-wise, but has less adoption and variants; also it belongs to ABN, which is completely different from the PIX approach.
PIX is also better because it gives control back to the central bank (as it was with cash) and not private industry although they are providing the service. The central bank controls what payments are permitted by what laws exist, not some risk management system that has decided that your legal purchase is too risky or some foreign state has applied sanctions against you.
> The central bank controls what payments are permitted by what laws exist, not some risk management system that has decided that your legal purchase is too risky or some foreign state has applied sanctions against you.
That sounds worse to be honest. You're essentially asking for the government to be not only aware of but also able to control all digital payments. That upends how money has worked over (literally) millennia, and is an incredible risk to take. Giving someone in government the ability to block someone's payments and trusting they won't abuse it might be fine as long as good people remain in power, but do you really want to bet the entire nation's ability to live life on that?
Furthermore, wouldn't determining if a payment is legal require prying into details of the transaction that may violate your privacy? And if they make an incorrect determination based on stuff that really wasn't their business in the first place, they now have the force of government behind them, going far beyond merely declining the transaction.
I would think what you should want to advocate for is a system that cannot block payments (at least domestically) just like with cash, and enforcement either happens prior to enrollment, or after the fact through some other traditional law enforcement mechanism (warrants, etc.).
And that's the whole reason why Wero has been made I think. It's because the ECB wants to advance on their digital euro plans due to sovereignty concerns, and I think this push is to dismiss that argument.
That sounds a little authoritarian for many Western countries, I imagine.
Wero is run by the banks themselves, which are in turn controlled/restricted by the central bank. I don't think there's a meaningful difference on that front.
The European ECB isn't really in a position to directly offer services to people, and relying on every country's central banks to cooperate will take decades.
PIX should be the gold standard for this - it works perfectly for all use cases that I can think of.
Hell even the homeless people around here take donations in PIX, but you can also buy a house with it. Zero fees involved
> Zero fees involved
Won’t someone think of the profits!
This is a brilliant response. I love personal anecdotes like this that meaningfully contribute to a better conversation on HN.
First: PIX sounds insanely good! I wish I had it where I live.
My follow-up question: Can anyone with experience with India's Unified Payments Interface (UPI) comment about capabilities compared to PIX? It is frequently lauded as one of the best e/mobile payment services in the (developing) world.
iDeal can also be used for recurring payment. I set one up yesterday.
If you like Tikkie, you may like bunq as well.
This is kind of a problem with Wero though [1]:
> The Wero app can be installed on any mobile device or tablet running iOS 16 or later, or Android version 9 or later. We recommend updating your device to the latest version of its operating system for maximum performance, convenience and security.
> It is not possible to use Wero via a web browser or on a computer.
Why the ** am I constricted to using an app on Android or iOS? Ever heard of laptops? Windows? ChromeOS? macOS? Linux in general?
[1] https://support.wero-wallet.eu/hc/en-us/articles/25599074240...
> you can use it for recurrent payment, split payments, financing, cashout and almost all things a CC can do nowadays
But can credit cards really do all those things? You just entrust your credit card number to a party that does it for you, but the credit card system itself isn't taking care of those things like recurring payments.
> PIX from Brazil is even better, to be honest.
You lack the inherent fraud, bankruptcy and other malicious actor protection that Visa/Mastercard provides.
Bought something online and didn't receive your product? With PIX you're SOL, with Visa/Mastercard you get a chargeback.
That is by design. It separates the payment processor so it does just that, just payments. It is like money, once you give it to someone else there is no automatic way to fish it back from their pocket to yours. The correct avenue to deal with fraud, bankruptcy and other malicious actor is the small claims court (or civil court, or criminal court).
The moment you start burdening the payment processor with the roles of judge/referee over all goods and services you end up with the mess we have with CCs where Visa/Mastercard are morality czars that dictate what goods and services are valid or invalid, nuking people and companies out of modern society for their own arbitrary reasons.
Edit: And just to add, you can have "chargeback" for PIX as a separate service, most banks offer PIX insurance that is basically CC chargeback by a different name. But the key is that it is separate from the payment infrastructure itself, it is an insurance service that you contract separately. And that separation is very important, the insurance company can't roll back transactions arbitrarily, or deny people access to the financial system, they have to pay the victim and then claw back their money in court, which is the appropriate venue to decide who is right or wrong in a transaction.
> Bought something online and didn't receive your product? With PIX you're SOL, with Visa/Mastercard you get a chargeback.
This is no longer the case outside the US. Last time I had the account of one of the few credit cards I'm using (on the Visa or Mastercard networks), for transactions I should have been clearly reimbursed / credited, as it used to be the case, actually awarded in my favor, was four years ago. Recent transactions, with proven vendor at fault, ended up with my loss. All over Europe (I'm traveling a lot). So no tears shed for Visa or Mastercard losing the EU turf.
> Bought something online and didn't receive your product? With PIX you're SOL, with Visa/Mastercard you get a chargeback.
Visa/Mastercard aren't handling chargebacks, the banks are. With PIX the way to get a chargeback is the same: if you've been victim of fraud you open a claim with the bank, they'll review it, then possibly give you a charge back within a week. This review process might take longer or be denied, which requires a lawsuit.
But it's only less risky for banks to chargeback immediately on Visa/Mastercard because they make so much money from credit card fees that they can afford it.
Yes, but it's a statistically negative sum game for the customer. Visa wouldn't offer such a service if they weren't winning out in the long run, collecting rent on every one of your purchases.
Brazil has a huge advantage in that they've required full transaction-level transparency for tax authorities -- with clearly defined technical requirements -- for almost 20 years now. One can argue whether it's a pro or a con to share this level of detail with the federal government, but it certainly makes taxation easier and fraud prosecution simpler, too.
Visa/Mastercard provides that because the US is a very untrustworthy country. I don't know the situation in Brazil, but here in Europe small claims court just works fine. I think it's pretty dysfunctional to have to rely on private companies for adequate legal protection.
It's not the visa/mastercard that offer chargeback, but the bank.
This looks like a benefit on the surface, but it is not. In the end everybody loses -- the bank, the network, the customer, the merchant.
Good, that's a feature - I don't need my payment processor to have value judgments on my spending.
That has nothing to do with visa/MasterCard. (Well maybe it does in Brasil). In Poland if you use BLIK which is also a national payment network and you get scammed or money stolen from you the bank will also refund you, same as with visa or MasterCard.
That's a good argument but those are also features that could be provided by the force of government power in a government and country where the government is not and has not intentionally been corrupted, partially for the very purpose of preventing something like digital cash that is anonymous just like cash was before people foolishly gave in to the “convenience” of cards and acting like they had money by using credit cards.
Nah, BLIK from Poland was there earlier and is in many ways better, Wero was unfairly lobbied for by the old European guard, so most of Eastern Europe walked away.
They are now hesitantly joining Wero, supporting it only to downplay and to lobby ECB for an API platform and not for a product.
> BLIK from Poland was there earlier
BLIK was launched in 2015 according to Wikipedia; iDeal is from 2005.
I've used BLIK once, for an online payment from the Netherlands to Poland, and for that it was terrible. I assume it's much better integrated into the Polish system.
Since last year, Colombia has implemented Bre-B, our copy of Brazil’s Pix, and it’s been fantastic. I can’t wait to see it mature to the same level as Pix, and I really hope both systems are eventually linked together.
Wero does have recurring payments planned too (apparently for end of 2026), seems like they're well aware of PIX and racing hard to get into exactly the same space.
It's in theory already possible with iDeal from what I can tell (I've seen companies that use subscriptions set up an initial iDeal payment and then convert it into a regular recurring SEPA Direct Debit), but I'm going to assume that the process is kind of messy since I haven't seen many companies implement the system in that way.
Direct Debit is very nice, largely because your bank manages the subscription; companies have to declare the payment ahead of time and if you get balance mixed up for some reason, then the bank will just do the payment whenever your balance is correct if it happens within a week. I've had credit cards decline on subscriptions before because I didn't have enough loaded up on them. Never had that issue with SEPA.
Either that or "credit cards just work", so very few entities bothered until now.
Tikkie has a different usecase. It's meant for smaller payments between individuals
In fact, you can pay a Tikkie using iDEAL/Wero
PIX is for everything, but indeed Tikkie is more a p2p tool.
I think Colombia's Bre-B system took heavy inspiration from PIX. It is amazing and so easy to use.
(I haven't tried PIX so not sure) but UPI is really great too and I think that Pix is similar to UPI and UPI was launched by India nearly 4 years earlier than Brazil.
Anyways, one of the things that I am interested in in payment systems is say creating cross-payments between Pix, UPI and Wero.
UPI is already there for a few countries and there are more trials which are happening and my brother was a bit involved in trying to add UPI to London. (I think it was some efforts by his college perhaps, I am not sure completely.)
For India, the largest points are remittances and for other nations, it gives a really well built payment system and integrates it to more economies.
UPI is accepted in seven countries: Bhutan, France, Mauritius, Nepal, Singapore, Sri Lanka, and the United Arab Emirates (UAE).
> iDeal system, which in my opinion is the gold standard of how internet payment should work
Is it? I see it more as an underwhelming fix for SEPA Direct Debit's inability to verify payment data synchronously.
* iDeal doesn't support basic features like pre-authorization. I'm not even sure if it supports setting up a payment agreement without triggering an immediate payment at all (pretty sure it didn't, when we integrated it a couple of years ago).
* It hands over the customer's IBAN, which isn't really that much safer than a credit card number, since any merchant can trigger a SEPA Direct Debit using it. While you can trigger a chargeback, that requires you to actively monitor for fraudulent transactions, which a decent system wouldn't allow in the first place.
* iDeal recurring payments are SEPA Direct Debit, with all their downsides, like taking days to confirm and a payment that fails due to insufficient funds in the customer's bank account resulting in a significant fee the merchant has to pay (and will probably pass on to the customer).
And Wero has one of the worst, least informative websites I have ever seen. So it's really hard to figure out how it works, and what it supports.
> It hands over the customer's IBAN, which isn't really that much safer than a credit card number, since any merchant can trigger a SEPA Direct Debit using it.
Yes. And they would quickly lose their ability to process any payments. This is the exact same idea as how credit cards work. I don't see my IBAN as a secret, all my friends have it, as that's how they can send me money right to my account.
> that requires you to actively monitor for fraudulent transactions, which a decent system wouldn't allow in the first place.
So that rules out credit cards too, exact same system.
I'm not familiar with pix mentioned in the other threads, but I am not familiar with any other system that is better
No. The bank gives you a prominent notification when someone new gets a direct debit authorization for your account. And a merchant gets banned quickly when they misuse their debit authorization.
> pre-authorization
If you need pre-authorization use credit, iDeal is a debit system.
> It hands over the customer's IBAN
SEPA Direct Debit requires my consent one time on my banking app.
Giving out your IBAN number is generally safer than giving out your credit card number, date of expiration and CVV code.
Additionally it allows for things like name to account checking, therefore making it less likely you will be scammed.
I was under the impression that direct debit requires an initial authorization from the account owner? Otherwise anyone with your bank account number can pull your account funds and bank account numbers are hardly a private information (unlike a cc where you need the card number/expiry/cvv code and generally a correct address)
Yesterday I was renewing my vehicle registration through my US state's website. They offered a range of payment options using embedded options on the site. The direct bank account option had the lowest fee but when I tried it I was immediately scared of the security. They used a 3rd party bank account transfer provider that asked me what bank I used and looked like it was going to prompt me for my login info before it errored out and I moved on.
Why can't the US have sane banking standards instead of this mess where you have to agree to a new 3rd party TOS and EULA for every purchase you want to make.
What you see is a glued or patchwork to make the things work somehow with the existing state of things. Strictly speaking, a lot of banks do not offer API support and yet these third party tools are able to orchestrate a flow which is nothing less than a man-in-the-middle attack.
The change, if it happens at all, across the board to streamline can only come from government mandate. The industry is always going to go for finding some low cost option to achieve the target. The private players are always going to optimize for short term gains.
When using a government website, you were intimidated by the security posture of... Plaid? (Genuine question, maybe this was some other provider but Plaid's aggregator tool is the most common place I see this pop up in real life for ACH)
If any site asks me for my bank login credentials, I run far away and start checking if I've made any security mistakes. So far Paypal is the only credentials I'll enter after a redirect.
I personally have _no idea_ what the security posture of plaid is. I know they're a startup and made a bit of noise a few years ago, but if I was trying to buy something and a third party app popped up saying, "hey give me total access to withdraw directly from your bank account for a sec", why on earth would I say yes to that?
It also seems to go against common security advice. "Never log into your bank account if redirected by a website you sort of, but don't really trust, except sometimes it's alright and it's up to you to tell the difference" is a terrible way to secure banking.
Interestingly in a number of African countries (Uganda, Kenya, Tanzania etc.), we have “Mobile Money”. Payments are instant, via USSD, no internet required, I can even pay online using USSD push. This is a classical example of humans using what they have to build what they need, no fancy internet-enabled smart phones required. I can send money anytime instantly to my grandma deep in the village. She can withdraw from or top up her account in the numerous mobile money stalls that are everywhere. You pay school dues, medical bills, groceries via mobile money. I don’t remember the last time I visited a bank, hell I can even get an instant loan by just dialing *165# on my no internet feature phone.
That's still a man in the middle coordinating the payments (mpesa, etc...) and essentially holding both sides of the transaction. When you send money to somebody with mobile money you're sending it to the mobile network operator who then lets the other person know so they can move the money to somebody else (or cashout or leave it there).
It's not really a federated system because you can't for instance send money from mpesa in kenya to a different provider in uganda.
Actually you can send money (cross border payments) to another country that also has mobile money, I can send money to a Kenyan, Tanzanian etc., all I need is their phone number. I am not sure what you mean by “holding both sides of the transaction”, when you send me money it appears in my balance (which I can check via a USSD query), it’s essentially a bank account but on USSD and SMS. A lot of cross border payments are now settled via USSD. Hell I can now get a Visa/Mastercard by just dialing a code and I will have payment details with my name and address.
Are you referring to m-pesa?
The mobile money, while convenient, is not exactly secure due to MITM.
I'm just not sure this directly competes with MC/Visa the way the article suggests.
Didn't other EU countries already have something similar to iDEAL, as opposed to using credit cards? And now we're just consolidating them?
Also, isn't this just about online payments? Who's going to pay for a coffee with either Wero or a credit card? AFAIK most EU consumers use direct debit cards for in-store payments (those countries where cash is no longer popular), be it via Apple Pay / Google Pay or not. Many a card of which by the way is directly or indirectly powered by Visa or Mastercard.
At any rate, I don't see EuroPA or Wero break the 'hegemony' of Visa/MC the way this article claims.
I can only speak for my countries, but almost all payment terminals now have the option to scan a QR code with your mobile banking app to pay using Wero.
That's good. Maybe I haven't seen it because direct debit via contactless (including Apple Pay) is faster, hence the default, where I am (Netherlands).
> At any rate, I don't see EuroPA or Wero break the 'hegemony' of Visa/MC the way this article claims.
You're right, it does not. But it's a significant step towards that goal. In-store payments are next on the agenda.
As usual if there is reasonable competition this limits what the established actors can and will do.
> should redirect me to my bank
Eugh. The problem with that is that people don't verify they've actually been sent to their bank. An attacker will set up fake merchant sites, pay for Google ads to get your traffic, then have you log into your bank to pay for things.
The more we normalise this, the quicker people will fall for it.
If they haven't been redirected to their bank, verifying with their mobile banking app using a QR code will not work.
So I have to get out my phone every time I use my credit card on my computer?
I think any Dutchie can vouch that iDeal has been amazing. I would also like to add that Wise has been amazing for American payments. I needed it for Anthropic at the time, and this worked well enough.
Certainly better and easier to say than Chipknip!
Funnily enough, the ECB's Digital Euro initiative has a lot in common with the chipknip, except you can now also charge your wallet with larger amounts of money.
RIP chipknip. But let’s appreciate its ambition: electronic payments without being online.
Does this work as a credit card system or for debit only?
> Instead, the payment should redirect me to my bank, where I authorize the payment through my own bank's security system.
That is really cool. I would like to see that system in the US given that my bank has IP restrictions for my account. I would also like the ability to pre-approve specific vendors for specific amounts within each bank as a native service all banks should support.
There is a 3DSecure system for existing Visa, Mastercard, and American Express. After typing your card numbers, the transaction doesn’t immediately go through but you are also redirected to the bank’s system. Banks can ask you to use a hardware token, an app, or any other second factor to approve the transaction.
It’s a shame that this system isn’t ubiquitous for the rest of us not in EU.
> After typing your card numbers
Yes, but the whole point of Wero is that you don't have to type in a bunch of info that can be easily stolen. With Wero (and many other international solutions), you just scan a code with your phone, and your banking app handles the transactions. The existing legacy solutions are just duct tape on an existing system.
If 3DS and chip + PIN card usage were ubiquitous, the value of a stolen card number and even card would be zero, and this entire problem would go away.
Unfortunately, legacy deployments have just proven too pervasive to effect real change, even with substantial incentives, especially in early card adopting markets such as the US.
But what's the value of stolen card data? It always requires 2FA to be used. It's just routing information to your bank.
Are there still cards that work without 2FA?
So you have to use a phone or does it work without one?
Does it handle credit card payments?
Does it mean that instead of depending on the Visa/Mastercard duopoly you now depend on the Google/Apple duopoly?
If this system is ubiquitous stealing your card number would be useless. Your card number becomes a user name like jonkoops that you would have no qualms sharing.
> you just scan a code with your phone,
And authorize yourself with the banking app, and, and...
It's not less complicated than auto filling credit/debit card details with your finger print on your phone or laptop.
For consumers, Wero, Pix, and similar systems only have down sides for online use. The most important down side is that you can't reclaim your funds if you've been the victim of fraud. Which you can when paying by card.
The problem with 3D Secure is that the merchant can unilaterally decide not to use it, which defeats the whole purpose of 3D Secure.
> the merchant can unilaterally decide not to use it
If they do so, they are telling the card issuer that they are happy to be on the hook for chargebacks/fraud. It's not a decision without consequences.
I tend to associate ignoring 3D Secure with Stripe. In the name of "less friction" of course.
Non-3DS payments are trivial to chargeback, at least in the EU.
The problem is that these are all US systems.
This is pretty much how every payment I do in Finland works. Always have to go and verify it using my online banking credentials after I've entered the numbers. Does make me wonder why I need to bother with the whole number, expiry and CVV bullshit anyway.
Wero is super confusing. They're in the business of acquiring different methods (I don't even know if they always buy them outright or if they merge or they are just associated in some way), branding them ALL wero, and announcing that every payment in every channel will be rolled out SOON via wero, without ever offering specifics.
So in The Netherlands wero is the new name of eCommerce payments, but in another country the new name for peer2peer. But no idea when p2p will launch in the Netherlands or when eCommerce will launch elsewhere. And if the existing services will be degraded when they are internationalized or merged.
iDEAL is a killer name
Banks and Visa/Mastercard probably love that you fill out your CC details on an online store, and next time you can just 1-click pay. Probably causes a big jump in revenue/profit. That's why they never innovated much.
Of course, it is incorrect, and digital payments everywhere (on a kiosk or online) should be intentional pushes, not pulls.
I want many payments to be pull-based (at least I'd go crazy having to positively sign off every utility bill and subscription), but the ideal user interface for pull payments shows who exactly is pulling what, with a few days notice, and a one-click way to cancel any standing authorization.
That still works. There are three entities: customer, bank and merchant.
The merchant should never be able to pull from your bank account. However, the merchant can send an invoice for a payment. Either the customer manually pushes the payment, or delegates to the bank that each invoice from merchant X should immediately result in a payment push [1].
The difference from the pull system is that the customer can at any point end this automatic push payment, but in the pull system the customer can only beg the merchant (eg. the gym) to stop charging their account.
[1] Or even better in an ideal world, delegate this pushing to their local finance app. So the bank can't put roadblocks for a customer cancelling a subscription.
Something something capability-based finance something something
You could still have this 1-click experience with another system.
Like you could set some rule like “this vendor is approved for charges below $50”. We don’t need the legacy system for that.
(I don’t know if any payment systems can do that atm, just that if we wanted we could make them do that)
Visa seemed not to care too much about fraud though so at some level they do prefer ease of use over security
The redirect to a bank is worrying, isn’t it trivial to fake redirecting to a fake bank ?
You'll need to fake much more than just that. Usually the bank website will ask you to confirm the transaction by opening the banking app on your mobile phone.
Trading a dependency on MasterCard and Visa for one on Google and Apple is at best a sidegrade. More likely you end up worse off.
Not really, since in modern 3DS implementations, the redirect pretty much only shows a modal saying "check your phone for a notification and confirm this payment there".
Worst case, you'll be entering a one-time code received out of band, e.g. via SMS, and that message will mention what you are consenting to by entering it anywhere, so even MITM attacks are very hard.
The days of entering a static password in 3DS are long gone.
Not really, the redirect itself is happening at EMV DS level, not by the merchant himself. Merchant has no idea what bank your card belongs to, so he does not know which bank to redirect you to.
What about authentication?
I remember living in Belgium this was the case, and I always had to go and find that stupid physical barcode reader that I then had to hold against the screen, sign in with my debit card, PIN, enter the Euro amount, and then sign the transaction.
Now that I live in the USA, I have my credit card number in Bitwarden, with expiration date and CVC.
When I want to buy something, I let it autofill, and I don't have to verify and / or sign any transactions, bar high price ones (e.g. new $5k TV from Best Buy).
And in terms of security? It's a credit card. I review my statement every month. If I didn't make the purchase I call the fraud department and the charge is removed. Last time I did that they didn't even ask me questions.
I'd take Apple pay over the old(?) EU system.
The physical barcode reader is long gone in Belgium. Instead, you scan the QR code with your banking app (or on mobile, click a link to open the banking app), and either verify directly for amounts under €250 (?), or verify big amounts with ItsMe, another app, using Face ID.
> I remember living in Belgium this was the case, and I always had to go and find that stupid physical barcode reader that I then had to hold against the screen, sign in with my debit card, PIN, enter the Euro amount, and then sign the transaction.
I can't talk about Belgium but from what I've read, the Dutch iDeal system requires nothing of the sort. It seems to act as a broker between your bank and the business, and a user's input is limited to picking the bank you use and approving the payment through your bank's app.
It used to be the case in the Netherlands with iDeal that you'd use your bank's e.dentifier for two factor auth (a physical device that you'd put your card into to get a code you could then put into the website to verify) - they replaced this with using your banking app sometime over the past 10 years.
When using the web interface some banks still offer the physical reader (which I prefer), but the banks are pushing hard to move to the phone app.
There's the Polish BLIK which is basically the same idea and there are probably a dozen more in other countries; need consolidation in this space tbh.
Providing credit cards online even by phone for 20 years I have never had any issues, or known anyone who had issues. The few occasions my cards were compromised (all my own fault): a restaurant in Vienna pre Covid when cash was king in Europe, I insisted to use the card and the waiter took it inside lol. Got a 4000k cruise booked a few weeks later. Another time at an ATM in Brazil, I even noticed the suspects around the machines waiting and still went for it. A gas station ATM in NYC. That’s about it. Every time I called the bank and they refunded the money. So what I’m saying is security doesn’t seem to be a big issue in the US when it comes to online transactions with credit cards. Of course this is all subjective from my own experiences, but I’m kind of reckless using cards so I’m probably a good test subject.
But most people here don't want credit cards; risk of spending what you don't have just works differently over there outside mortgages. And then this new stuff is just objectively better: debit cards, even though you will get the money back mostly, makes it a hassle as you basically pay the lowest fees possible and never credit so fraud really sucks. And makes no sense; away with those cards; we do not need them anymore.
Individual experience is rarely an accurate representation of the broader system.
Try getting a refund for a fraudulent card charge in other countries except the US.... Most other banks in LATAM/EU will not simply "refund" you the money.
In Denmark I currently have to enter my card details, but then I get a popup where I have to enter my government issued ID username and scan a QR code from the related app (or enter from a 2FA token generator).
It's annoying - but it feels quite secure
One thing that surprises me a lot is that in order to use Wero with my ING account, I have to give access to my contacts, which I ultimately am not going to do. I wonder how the European payment system can be so ignorant of their customers' privacy.
That has nothing to do with Wero, that's just your bank (ING) being stupid.
Most online merchants redirect me to my bank's web page when I enter my Visa credit card number. In theory it should be possible to have a card number that by itself is useless and always requires an external confirmation?
With a Mastercard from a Swedish bank that is the experience that I get. All online transactions pop up a page from my bank with a QR code; this is authenticated through an app that shows me the transaction details and requires PIN confirmation.
> Instead, the payment should redirect me to my bank, where I authorize the payment through my own bank's security system.
That's basically PayPal and everyone still shits on them.
I don't think I've ever heard anyone complain about the actual PayPal payments flow. Most complaints are around seizing large balances due to suspected fraud...
PayPal goes to great lengths to not be regulated as a bank, right?
It works very well and is user-friendly, but iDeal had a disadvantage: chargebacks aren't possible. Whether Wero has the same issue, I do not know.
In fact a unique payment ID (e.g. QR) to "push" payment is even safer. No redirect. That's how payment should be. Not an authorization given to pull from us, but the agency for us to push the amount.
This is exactly how India's UPI (Unified Payments Interface) works. No PII, just a UPI ID is given and the user gets a push notification in Android/iOS app for approval (with PIN or security enclave like fingerprint).
In fact, there is EPC code, but it is rarely used and bank support is abysmal, at least in our country. But that can also be because we have some homegrown local standard for payment QR codes (and a new one in the works, lol).
[0] https://en.wikipedia.org/wiki/EPC_QR_code
If I am understanding you correctly, isn't this what UPI does already?
Yes. Common among Asian countries. Where authorizing a 3rd party to pull money isn't natural. Among the main reasons Uber failed there.
I thought it was an EU-wide version of the Belgian PayConiq
I recommend also having a look at how eCommerce is done in Chile, e.g. Transbank (WebPay), FinToc and others. Chile passed some very good FinTech legislation a few years ago.
This is one of the reasons I opt for PayPal in the US when I have the choice. I've been in too many breaches. Direct to bank would be better, but I trust PayPal's security more than a random ecommerce website's security.
I caution PayPal would only work if you trusted the original shopping site, and perhaps your "credentials" got breached and used illicitly elsewhere. I got banned from PayPal after I tried to buy an electrical switch, was on an (apparently scam) website, never received the item, and opened a PayPal dispute. The scammer somehow convinced PayPal the item I tried to buy was illegal/against PayPal ToS, which resulted in them banning *me* instead of the scammer.
On the other hand, I see an unknown charge on my credit-card, dispute with my bank, and it's handled.
No way on PayPal, Venmo, or any company associated with PayPal... I got screwed over with an unauthorized transaction on my credit card that was attached to a PayPal account... They refused to acknowledge the transaction as unauthorized... My Credit Card that was charged (Amex), on the other hand, reversed the transaction within 24 hours
That’s how giro payments work. Same for Klarna.
How does the website know which bank to redirect to?
A dropdown is offered and the choice is remembered.
As was the case in the Baltic states since forever. Payments with CC came much later.
Making a note of this as an obvious technical alliance that should have existed for decades.
> I shouldn't have to fill in any card numbers on the site of the merchant (which is unsafe). Instead, the payment should redirect me to my bank, where I authorize the payment through my own bank's security system.
To be honest, with multiple banks in Germany, without Wero, it works like that too.
I'm annoyed by redirects that won't work if you set a different default browser or incognito mode as default for new tabs. Total BS.
Card numbers just work.
Also, payment "apps" that pack their own web engine and need 300-500 megs D/L, plus refuse to run on rooted / "unvetted" systems. No fucks given! Go away, give a browser and numbers.
If you don't set a default browser, you'll be prompted what browser to open redirects and such in every time.
Unfortunately you still can't easily distinguish between normal browsing and private browsing that way (though browsers could implement that in theory), but I ran that setup for a while back when Firefox couldn't integrate with the App Tabs or whatever it's called where Android apps have their own minimal UI around a full screen web view (which used to always be Chrome).
Card numbers don't work because the business receiving the payment doesn't automatically get a signal from the bank when payments come in without an annoyingly complicated banking integration, which is exactly what these new services intend to solve. They do work for the consumer in some cases, and I have been paying for some online services with regular old bank transfers in cases where I didn't need a payment to go through the same day. That doesn't mean it's an equivalent system in most cases.
If your banking app doesn't run on your device because of something as silly as root detection, you should find a better bank.
Perfect opportunity for browser or OS API to provide the feature, where we could make it more streamlined, secure, and consistent.
I like the friction to decide against frivolous spending...
iDeal is terrible for fraud. Consumers have to file a police report.
Indeed, it's terrible for fraud, as fraudsters are more likely to land behind bars.
> Wero is basically an EU-wide version of the Dutch iDeal system, which in my opinion is the gold standard of how internet payment should work.
For some reason, most Dutch people are convinced that the way things work in the Netherlands is the gold standard of how things should work in general, and are very hostile to solutions from other countries even if those solutions are better by any sensible metric. This is especially painful when a less developed country does leaps around NL in some aspect, like:
1. In Poland, you don't need to carry any documents with you because if a policeman stops you, he has access to the police database anyway. This includes driving license.
2. Even if you really want to show a document, you can do it *gasp* on your phone screen with the official government app.
3. Albert Heijn, the most popular supermarket chain, started accepting Visa and MasterCard in 2023. Not in 2003, in fucking 2023.
4. The adoption of paczkomaty is pathetic and when you have a delivery the expectation is that you're supposed to sit and wait the entire day at home.
5. iDeal launched in 2005. Przelewy24 launched in 2004. They function in exactly the same way.
In reply to 3.: Bancontact is nearly free per operation, but credit cards were a percentage-heavy fee per transaction... That's why. And don't forget that the Netherlands, Belgium and Luxembourg will prefer debit over credit for payment.
Don't forget that the banking world is still under a lot of pressure from the various governments (systemic risk assessment for example) and the stakeholders. It's a mess!
3. Yeah, the previous system we used was just too cheap and efficient. Credit cards are still not common.
4. We're indeed a bit later than elsewhere, but there are many now.
/rant? :-)
1. sounds nice though! But how do they verify that it's actually you? Just matching the photo manually? People are terrible at that. Or do they scan a fingerprint?